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Summary 



The privacy provisions of the Gramm- Leach-Bliley Act of 1999 (P.L. 106-102) do 
not permit customers to preclude financial institutions from sharing nonpublic personal 
information with affiliated companies; they merely require companies to notify their 
customers of their practices of information sharing with affiliates. Until the Fair Credit 
Reporting Act (FCRA) was amended in 1996, sharing of such information with affiliates 
might have subjected a company to being regulated as a credit reporting agency. Under 
provisions added in 1996, 15 U.S.C. §§ 168 la(d)(2)(A)(ii) and (iii), which preempt 
inconsistent state law, companies have been permitted to share among their corporate 
family a broad range of data they have collected on their customers provided they have 
given the customers the opportunity to preclude, i.e., opt out of, the information sharing. 
P.L. 108-159 makes these FCRA preemptions permanent and provides a limited opt-out 
from affiliate sharing of consumer information for the purpose of marketing 
solicitations. This report will be updated to reflect action on major legislation. For 
related information see CRS Report RL31758, Financial Privacy: The Economics of 
Opt-In vs Opt-Ouf, CRS Report RL31847, The Role of Information in Lending: The 
Cost of Privacy Restrictions; CRS Report RS21449, Fair Credit Reporting Act: 
Preemption of State Law; and CRS Report RL32535, Implementation of the Fair and 
Accurate Transactions (FACT) Act of 2003. 



Background. Although confidentiality standards for businesses dealing in 
consumer information have traditionally been a matter of state law, both the Fair Credit 
Reporting Act of 1970 (FCRA) 1 and the privacy title of the Gramm-Leach-Bliley Act of 
1999 (GLBA) 2 have meant that federal law generally controls the dissemination of 



1 P.L. 91-508, tit. VI, §§ 601 et seq.; 88 St at. 1521;15 U.S.C. §§ 1681 - 1681u. 

2 P.L. 106-102, 113 Stat. 1338 (1999). 

Congressional Research Service ❖ The Library of Congress 










http://wikileaks.org/wiki/CRS-RS21427 



CRS-2 



consumer credit information and governs the disclosing and safeguarding of nonpublic 
personal information held by a wide array of financial institutions. 3 

GLBA generally prohibits the disclosure of nonpublic personal information on a 
customer or consumer by financial institutions unless the consumer is given an 
opportunity to prevent disclosure, i.e., opt-out; but it contains no prohibition on sharing 
of customer information among affiliates. It requires each financial institution to notify 
customers of its privacy policies and practices including those related to information 
sharing with affiliates. 4 FCRA prescribes standards that address information collected by 
businesses that provide information used to determine eligibility of consumers for credit, 
insurance, or employment. It imposes requirements for accuracy, limits purposes for 
which such information may be disseminated, allows certain rights for consumer access, 
and includes civil and criminal penalties for its violation. It generally defines “consumer 
reports” and limits the purposes and conditions under which “consumer reports” may be 
furnished by entities that it refers to and regulates as “consumer reporting agencies.” 5 

Apparently, in response to concern that information sharing among affiliated 
companies might be interpreted as providing consumer reports, thereby subjecting banks, 
insurance companies, and securities firms to all of the obligations imposed upon 
consumer reporting agencies under the FCRA, 6 the FCRA was amended by the Consumer 
Credit Reporting Reform Act of 1996. 7 Under these amendments, 8 the FCRA’ s definition 
of “consumer report” was amended to exclude communication of transaction and 
experience information among corporate affiliates and, — provided the consumer was 
afforded an opportunity to prevent it, i.e., opt out — communication of other information 



3 “Financial institution” is defined to mean “any institution the business of which is engaging 
in financial activities as defined under section 103 of GLBA, § 4k [12 U.S.C. §1843(k)] of the 
Bank Holding Company Act of 1956.” Essentially, these include banking, securities, and 
insurance activities as enumerated in GLBA and other activities found by the Board of Governors 
of the Federal Reserve Board, with the concurrence of the Secretary of the Treasury, either (1) 
to be financial in nature or (2) not posing a risk to the safety or soundness of depository 
institutions or the financial system generally and complementary to a financial activity. There 
are, however, exceptions for persons subject to regulation by the Commodity Futures Trading 
Commission under the Commodity Exchange Act, entities chartered under the Farm Credit Act 
of 1971, and entities engaged in secondary market operations as long as they do not transfer 
nonpublic personal information to a nonaffiliated third party. 

4 15 U.S.C. § 6803. 

5 15 U.S.C. § 1681b. See generally, CRS Report RL31666, Fair Credit Reporting Act: Rights 
and Responsibilities. 

6 See, e.g., Joseph L. Seidel, “The Consumer Credit Reporting Reform Act: Information Sharing 
and Preemption,” 2 North Carolina Banking Institute 78, 82-83 (1998) (hereinafter, “Seidel”). 
L. Richard Fischer, Michel F. McEneney, and Clarke D. Camper, “Fair Credit Reporting Act 
Amendments: Compliance Issues for Banks,” 18 ABA Bank Compliance 7 (1997) ( available in 
LEXIS, BANKNG Library, ARCNWS file). 

7 P.L. 104-208, Div. A, Tit. II, Subtitle D, Ch. 1, § §2401 2422,2419, 1 10 Stat. 3009, 3009-396 
to 3009 - 454. 

8 P.L. 104-208, Div. A, Tit. II, Subtitle D, Ch. 1, § 2419, 1 10 Stat. 3009-452, adding 15 U.S.C.§ 
161 8t(b)(2). 
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concerning the consumer among affiliates. 9 Essentially, these provisions permit 
companies to share with their affiliates certain customer information respecting their 
transactions and experience with a customer without any notification requirements. 10 
Other information about their customers, such as credit reports and application 
information, may not be shared with other companies in the corporate family unless the 
customers are given “clear and conspicuous” notice about the sharing and an opportunity 
to direct that the information not be shared. 1 1 

FCRAand GLBA Preemption Language. The FCRA preemption of state law 
regarding affiliate sharing of information, as amended by P.L. 108-159, the Fair and 
Accurate Credit Transactions Act of 2003 (FACT), is stated in terms of an exception to 
the rule 12 that the FCRA preempts state law only to the extent of the inconsistency. It 
reads: 

No requirement or prohibition may be imposed under the laws of any State. ..(2) with 
respect to the exchange of information among persons affiliated by common 
ownership or common corporate control, except that this paragraph shall not apply 
with respect to subsection (a) or (c)(1) of section 2480e of title 9, Vermont Statutes 
Annotated (as in effect on September 30, 1999).... 13 

Under the 1996 amendments, the preemptive effect was to last until January 1, 2004, 
when states would have been able to override the FCRA authorization for interaffiliate 
sharing of customer information. 14 The legislative history shows a Congressional intent 
to establish a national standard for interaffiliate sharing of information pertinent to the 
consumer credit industry in the interest of “operational efficiency for industry ... and 
competitive prices for consumers” in the credit reporting and credit granting [industries 



9 15U.S.C. § 1681a(d)(2)(A). 

10 15 U.S.C. § 168 la(d)(2)(A)(ii). Notice is required under GLBA, 15 U.S.C. § 6803, which 
requires disclosure when the customer relationship is formed and annually thereafter of a 
financial institution’s privacy policies and practices, including those relating disclosures to 
affiliates. 

11 15 U.S.C. § 168 la(d)(2) (A)(iii). 

12 The FCRA’s general preemption clause reads: 

Except as provided in subsections (b) and (c) of this section, this subchapter does not 
annul, alter, affect, or exempt any person subject to the provisions of this subchapter 
from complying with the laws of any State with respect to the collection, distribution, 
or use of any information on consumers, except to the extent that those laws are 
inconsistent with any provision of this subchapter, and then only to the extent of the 
inconsistency. 15 U.S.C. § 168 lt(a). 

13 15 U.S.C. § 1 68 lt(2). The Vermont statute prohibits anyone from obtaining a consumer’s 
credit report without consent or a court order. 

14 15 U.S.C. § 168 lt(d)(2). This specifies that the general exceptions (including that relating to 
sharing of information among affiliates) to the rule on preemption “do not apply to any provision 
of State law (including any provision of a State constitution) that — (A) is enacted after January 
1, 2004; (B) states explicitly that the provision is intended to supplement this subchapter [15 
U.S.C. §§ 1681 - 1671u, i.e., the FCRA]; and (C) gives greater protection to consumers than is 
provided under this subchapter.” 
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that] are, in many aspects, national in scope.” 15 The 2003 legislation made the 
preemptive effect permanent. It also provided that, subject to certain exceptions, 
affiliated companies may not share customer information for purposes of marketing 
unless the consumer is provided clear and conspicuous notification that the information 
may be exchanged for such purposes and an opportunity and a simple method to opt-out. 
Among the exceptions are solicitations based on: pre-existing business relationships; 
current employer’s employee benefit plan; a consumer’s request or authorization; and, 
state unfair discrimination insurance law requirements. The 2003 amendments require 
the agencies to conduct regular joint studies of information sharing practices of affiliated 
companies and make reports to the Congress every three years, with the first report due 
no later than December 4, 2006. 

GLBA’s prohibitions deal only with sharing of nonpublic personal information by 
financial institutions with nonaffiliated third parties. There is no direct authorization of 
sharing such information among affiliated financial institutions. In essence, therefore, 
GLBA indirectly authorizes interaffiliate sharing of information by a provision 
disavowing an intent to supercede the FCRA. 16 It, therefore, preserves the conditions 
placed upon interaffiliate sharing of information in the FCRA: (1) that information other 
than experience or transaction information may be shared only upon providing customers 
an opportunity to opt-out; and (2) state laws may not preempt. This preservation of the 
FCRA runs counter to GLBA’s general preemption provision under which GLBA 
preempts state laws only to the extent that they provide less protection than GLBA. 17 
Whether or not a state law provides more protection than GLBA and is not preempted, 
however, must be determined by the Federal Trade Commission (FTC). 18 

Generally, state laws that provide more protection than GLBA, e.g., that require a 
specific form of notice respecting an institution’s privacy policy, for example, would not 
automatically be enforceable, without an FTC determination as required under GLBA 19 

State Laws. Since enactment of GLBA, there has been considerable activity in 
state legislatures on financial privacy issues, particularly in terms of making reference to 
the changes wrought by GLBA. Some states have laws that are more protective of 
consumer privacy. The California Financial Information Privacy Act of 2003 20 is one of 
these. It is the subject of litigation. 21 At least six other states, Alaska, 22 Connecticut, 23 



15 See S.Rept. 104-185, 104th Cong., 1 st Sess. (1995), reporting on S. 650 in the 104 lh Congress, 
the immediate predecessor of the legislation enacted in 1996. The time limitation derived from 
a manager’s amendment offered by Sen. Bryan in an earlier Congress. 140 Cong. Rec. S5027 
(May 3, 1993 daily ed.). 

16 15 U.S.C. § 6806. 

17 15 U.S.C. § 6807. 

18 15 U.S.C. § 6807(b). 

19 15 U.S.C. § 6807(b). 

20 Cal. Fin. Code §§ 4050-4060. 

21 See CRS Report RL32626, American Bankers Association v. Lockyer: Whether California ’s 
Financial Information Privacy Law Has Been Preempted by the Fear and Accurate Credit 

(continued...) 
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Illinois, 24 Maryland, 25 North Dakota, 26 and Vermont, 27 have current laws that would 
require an opt-in or in some way hamper the sharing of customer information among 
affiliates. None of these would, of course, operate to override the FCRA authorization of 
interaffiliate information sharing. In other states, since GLBA, there have been 
provisions enacted modifying stringent financial privacy laws to accommodate GLBA. 28 

Legislative Issues. Although P.L. 108-159 has resolved various issues related 
to the consumer credit industry and to the problem of identity theft, there are other topics 
that may be confronted in future sessions of Congress. Privacy advocates favor 
modifying GLBA to provide more protection for sensitive information; industry 
representatives are likely to be in favor of federal preemption under GLBA similar to that 
enacted for FCRA so that there is no prospect of having to comply with an array of state 
laws when information is shared with non- affiliated third parties. 

In the 109 lh Congress, S. 116 (Feinstein) generally requires businesses to provide 
notice and an opt-out to a consumer before selling or marketing personally identifiable 
information to affiliates; affirmative consent is in the case of non-affiliated third parties 
It also includes a prohibition and civil and criminal sanctions for the display, sale, or 
purchase of social security numbers without consent. It also contains provisions aimed 
at curtailing the sale of individually identifiable health information and a section on 
driver’s license privacy. 



21 (...continued) 

Transactions (FACT) Act, by M. Maureen Murphy. 

22 Alaska Stat. § 6.01.028 generally requires customer consent for a financial institution to 
disclose customer information, with no blanket exception or authorization for sharing information 
among affiliated companies, although there is permission for sharing with marketing partners. 

23 Connecticut Gen. Stat. Anno. §§ 36a-41 to 36a-44 require consent for disclosure by financial 
institutions, authorize disclosures in various circumstances, but contain no blanket exception for 
sharing of information among affiliates and place restrictions on sharing of information with 
broker-dealers. 

24 205 111. Comp. Stat. 5/48.1, et seq. 

25 Md. Code Ann. [Financial Institutions] §§ 1-301, et seq. 

26 N.D. Cent. Code §§ 6.08.1-01 to 6-08.1-08 require customer written consent for sharing of 
information among affiliates. 

27 Vermont Stat. Anno. §§ 10201 - 10205 prohibit disclosure of customer financial information 
by financial institutions except as provided in a list of exceptions, none of which appear to permit 
interaffiliate sharing of customer information. 

28 See, e.g., Florida Stat. §655.059(2)(b). (Amended to that effect in 2001). This states that 
“nothing... [in the financial privacy statute] shall prohibit a financial institution from disclosing 
financial information ...as permitted by [GLBA].” 




